z47xu commented on a change in pull request #24421: [SPARK-12312][SQL]Support
Kerberos login in JDBC connector
URL: https://github.com/apache/spark/pull/24421#discussion_r345503064
##########
File path:
sql/core/src/main/scala/org/apache/spark/sql/execution/datasources/jdbc/JdbcUtils.scala
##########
@@ -61,7 +65,23 @@ object JdbcUtils extends Logging {
throw new IllegalStateException(
s"Did not find registered driver with class $driverClass")
}
- val connection: Connection = driver.connect(options.url,
options.asConnectionProperties)
+
+ val connection: Connection = {
+ if (options.keytab != null && options.principal != null) {
+ val keytabFileName = FilenameUtils.getName(options.keytab)
+ UserGroupInformation
+ .loginUserFromKeytabAndReturnUGI(options.principal, keytabFileName)
+ .doAs(new PrivilegedAction[Connection] {
+ override def run(): Connection = {
+ driver.connect(options.url, options.asConnectionProperties)
+ }
+ })
+ }
+ else {
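Review bot: The condition `options.keytab != null && options.principal != null` lets a caller who sets only one of the two options fall through to the `else` branch, skipping the keytab login without any error; require that `keytab` and `principal` are set together and throw if only one is present. In the same branch, `FilenameUtils.getName(options.keytab)` keeps only the file name, so `loginUserFromKeytabAndReturnUGI` resolves it relative to the process working directory; check that the file exists and is readable there before the login call, and document that the keytab must already have been distributed to that location.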
Review comment:
Hi @misutoth,
1. Distributing keytab is based on the assumption of secure HDFS. Each
executor requires a keytab to do kinit, so we have to distribute the keytab
across different executors. If HDFS is secured, then the keytab should be safe.
2. A user is required to upload the data to /spark/admin.keytab. This file
is pre-uploaded by the user.
3. Since SQL server does not support delegation token, we cannot use delegation
token. If SQL server supports delegation token in the future, we can use a more
efficient way to do the kinit. Right now we need to use keytab (or password) to
do the kinit and this limit comes from SQL server side, not HDFS side.